hermes-attestation-guardian

Security checks across malware telemetry and agentic risk

Overview

This Hermes security skill is purpose-aligned and discloses its file writes, advisory feed fetching, and optional cron scheduling behavior.

Install only if you are operating Hermes infrastructure and want local attestation/advisory checks. Review any policy watch paths before use, keep unsigned advisory bypasses temporary, and only run the cron setup with --apply if you intentionally want this skill to add managed recurring jobs to your user crontab.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Behavioral ASTexec() Call, eval() Call, Dynamic Import
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (3)

Description-Behavior Mismatch

High

Confidence: 89% confidence
Finding: This code reads and rewrites the user's crontab, giving the skill persistent host-level scheduling capability that exceeds passive attestation or drift detection. In the context of a Hermes-only security attestation skill, this creates unnecessary authority and persistence: if the command, schedule binary, or managed block inputs are influenced upstream, the skill can install recurring jobs on the host.

Context-Inappropriate Capability

High

Confidence: 91% confidence
Finding: The skill invokes an external scheduler binary and treats its output as authoritative, then writes modified scheduling configuration back to the host. That is dangerous here because an attestation/drift-detection skill should primarily observe state, not gain the ability to persist execution; this widens the attack surface and can be abused for unauthorized recurring execution if configuration inputs are compromised.

Missing User Warnings

Medium

Confidence: 78% confidence
Finding: The file silently updates crontab via subprocess and only prints a success message after the change, without an explicit warning in this code path that host scheduling configuration will be altered. Even if intended for automation, undisclosed persistence-related side effects are risky in a security skill because operators may run it expecting assessment behavior, not host configuration changes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal